Following the journey of targeting low-hanging fruits in Joomla plugins, this issue was discovered to pose Hikashop’s users to a low risk by allowing arbitrary JavaScript code being injected from the control panel.